DSA2

[David Shaw]

On Thu, Sep 21, 2006 at 01:38:03PM +0100, Nicholas Cole wrote:
> Dear David and others,
> 
> Thank you for the information you have already posted
> about DSA2 on the list.  Could I ask a few other
> questions:
> 
> I am right that this is not a new algorithm as such,
> it is just the old one with longer key sizes?

Correct.  DSA2 (it's not really called that, by the way.  It's just
what the OpenPGP WG was calling it to differentiate it from the
original DSA) is the same algorithm as original DSA with the ability
to have a larger key size and use hashes other than SHA-1 or
RIPEMD-160.

> And that
> the only reason it has been restricted to 1024 in the
> past is a US standard? Or was there any fear that a
> larger key size with that algorithm would not provide
> security?

Not exactly.  The argument was that a larger key size was not really
useful without a larger hash to go with it.  The "1024 bit key and
160-bit hash" was considered roughly balanced.  Changing one without
changing the other didn't really increase the overall security of the
scheme.

> Is moving to the larger key size something that the
> OpenPGP community is doing by itself, or has it been
> sactioned by any other group?

DSA2 (again, not really called that) is the new US standard.

> Is the new upper limit of 3072 bits picked for any
> particular reason?

Sanity, mostly.  The rough balances between key size and hash size
are:

 1024 bits, 160 bit q size (i.e. regular old DSA)
 2048 bits, 224 bit q size
 3072 bits, 256 bit q size
 7680 bits, 384 bit q size
15360 bits, 512 bit q size

A 7680-bit key is enormous and takes a long time to generate or make
signatures.  A 15360-bit key is all but unusable.

David